Steve,

#Hey guys and girls I have a problem I need help on.

#Supposedly you need to open ports 1604 and 1494 for Citrix clients to
#connect to you. Now, there seems to be some kind of problem with the Citrix
#browser if you use any type of NAT. I am being told that you have to have
#public IPs on each server's NIC because if you use any type of proxy or NAT
#then the Citrix master browser won't work. Has anyone had any experience
#with this? This seems to affect only published apps.  PLEASE PLEASE PLEASE
#help me clear this up.

     This is how Citrix MetaFrame works.  If you are using WinFrame then I
think it works mostly the same way.  Let's say I want to access Apps that I
am publishing on my MetaFrame server through a browser.

Setup:

client-----Firewall----webserver----MetaFrame browser---MetaFrame app server farm---data

My browser contacts the webserver where I perform authentication through
Windows NT domain authentication or something more secure like SecurID.
This is done using SSL on port 443.  The web server then contacts the
MetaFrame master browser using XML and passes it the authentication.  The
master browser passes a .ica back to the webserver using XML.  This .ica
file contains the IP address of the MetaFrame server that the client is
supposed to connect to.  The browser passes this file back to the client
using SSL and the connection is closed.  The client now initiates a new
connection on TCP port 1494 using the ICA protocol directly to the IP
address specified in the .ica file.  You now see the list of apps that you
are allowed to use.  The reason that you cannot do NAT is because NAT
changes the IP address in the packet header.  It does not change the IP
address in the .ica file.  If you are using 10 net IP addresses for your
MetaFrame servers then the client on the Internet will try to connect to a
10 net address.

     Do the following to get MetaFrame to work.  Allow Internet clients to
connect to the webserver on port 443 and allow Internet clients to connect
to the MetaFrame servers on port 1494.

Regards,
Jeffery Gieser
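
The mismatch described in the reply above can be checked by inspecting the address that the .ica file hands to the client. This is an added example, not part of the original message: the sample .ica contents are constructed, and the function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample .ica file (not from the original message); the server
# address is a "10 net" address, as in the scenario described in the reply.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.2.3:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""

def ica_addresses(text):
    """Return (section, host, port) for every Address= entry in an .ica file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() != "address" or not value:
                continue
            host, _, port = value.partition(":")
            # Port 1494 is the ICA port named in the message; used as default.
            found.append((section, host.strip(), int(port) if port else 1494))
    return found

def unreachable_from_internet(text):
    """List Address entries that an Internet client cannot route to."""
    problems = []
    for section, host, port in ica_addresses(text):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a host name, not a literal IP: DNS decides reachability
        if not ip.is_global:
            problems.append((section, str(ip), port))
    return problems

if __name__ == "__main__":
    for section, ip, port in unreachable_from_internet(SAMPLE_ICA):
        print(f"[{section}] Address {ip}:{port} is not Internet-routable")
```

Running the same check on the file actually served to an outside client shows whether it carries the internal address or one the client can reach on port 1494.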
